update CVE Signed-off-by: Damien <[email protected]>
Signed-off-by: Damien <[email protected]>
Signed-off-by: Damien <[email protected]>
📝 Walkthrough
Updates the GitHub Actions workflow's Docker BuildKit cache configuration to use caches scoped per workflow and database type; adds a new license-scan workflow; and updates the Node/npm requirements and the Fastify and nodemailer dependencies in
Actionable comments posted: 1
🧹 Nitpick comments (1)
backend/package.json (1)
15-21: Add engines.node to document the Node.js 20+ support required by Fastify v5. Fastify v5 only supports Node.js 20+. Although your Dockerfiles already rely on
node:20-alpine and node:20-slim, adding the engines field to package.json will formalize this constraint and protect npm installs outside a container. No removed Fastify v4 pattern was detected in the code.
Minimal proposal
"name": "filyo-backend", "version": "1.0.0", "description": "Filyo - File transfer backend", "main": "dist/index.js", + "engines": { + "node": ">=20" + }, "scripts": {
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@backend/package.json` around lines 15 - 21, Add an engines.node entry to package.json to document and enforce the Node.js 20+ requirement for Fastify v5: update the root package.json to include an "engines" object with "node": ">=20" (or ">=20.0.0") so npm/yarn will warn when installing on older Node versions; ensure you modify the backend package.json's top-level JSON (the engines.node symbol) and run a quick npm install locally to verify no JSON syntax errors.
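Review bot: the "engines" block added in this hunk is advisory only; npm prints a warning for an unmet "node" range but still installs unless engine-strict is enabled (engine-strict=true in .npmrc, or npm ci --engine-strict), so if the intent is to block installs on older Node, pair the field with that setting. Also pick one of ">=20" and ">=20.0.0" (they are equivalent ranges) so the value matches whatever the "npm" engine is later set to.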
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@backend/package.json`:
- Line 26: The package.json lists "nodemailer": "^7.0.11" but still depends on
the older "@types/nodemailer" v6; update the devDependency "@types/nodemailer"
to the matching major v7 (e.g., "^7.0.1") in package.json and reinstall
(npm/yarn) so TypeScript uses the correct v7 type definitions for nodemailer
throughout the codebase.
📒 Files selected for processing (2)
.github/workflows/docker.yml
backend/package.json
Updated Node.js and npm engine requirements and upgraded nodemailer types. Signed-off-by: Damien <[email protected]>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@backend/package.json`:
- Around line 4-7: The engines constraint in package.json is inconsistent:
"node": ">=20.0.0" conflicts with "npm": ">=10.0.0" because Node 20.0.0 bundles
npm 9.x; update the engines to be consistent by raising the Node lower bound to
">=20.8.0" (which includes npm 10.5.0+) or alternatively lower the npm
requirement; edit the "engines" object (the "node" and "npm" fields) to use a
matching pair (recommend setting "node" to ">=20.8.0" to satisfy the current
"npm": ">=10.0.0").
📒 Files selected for processing (1)
backend/package.json
Signed-off-by: Damien <[email protected]>
Signed-off-by: Damien <[email protected]>
Signed-off-by: Damien <[email protected]>
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/license-checker.yml:
- Around line 22-23: Modify the two steps that run "npm ci" and "npx
license-checker --production --json > licenses-frontend-production.json" to
avoid executing install hooks: add the --ignore-scripts option to the npm ci
command (e.g. npm ci --ignore-scripts) and prevent scripts during the npx call
by setting the environment variable NPM_CONFIG_IGNORE_SCRIPTS=1 around the
license-checker run (or equivalent), then apply the same change to the other
pair of lines mentioned (the commands at lines 34-35).
- Around line 7-10: Add minimal permissions to the "license-scan" job by
defining the permissions key with the minimal required scope (for example
permissions: contents: read) under the "license-scan" job block in the
workflow; this replaces the rights inherited from the GITHUB_TOKEN and limits
access during job execution.
- Line 12: Replace mutable GitHub Action tags (e.g., the uses:
actions/checkout@v4 entries and other similar uses: actions/*@vX lines) with the
corresponding immutable full 40-character commit SHAs and append a comment with
the human-readable tag (e.g., uses:
actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7); update
every occurrence of the short tag in the workflow (the checkout and other
actions referenced in this diff) to use their pinned SHAs and keep the version
comment for clarity and future Dependabot updates.
- Line 23: The workflow currently uses an unfixed npx invocation ("npx
license-checker --production --json > licenses-frontend-production.json") which
causes non-reproducible runs; add "license-checker" to devDependencies in both
frontend and backend package.json files and update the workflow step to call it
via "npm exec -- license-checker ..." instead of npx so the job uses the pinned
devDependency version and yields reproducible results.
📒 Files selected for processing (1)
.github/workflows/license-checker.yml
| jobs: | ||
| license-scan: | ||
| runs-on: ubuntu-latest | ||
| steps: |
Define minimal permissions for the workflow.
The workflow does not define permissions; it therefore inherits the default GITHUB_TOKEN permissions. For this job, contents: read is usually enough and reduces the risk if a CI package/script is abused.
🔐 Proposed fix
name: License scan
on:
push:
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
license-scan:
runs-on: ubuntu-latest
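Review bot: the hunk puts permissions: at workflow level while the finding text asks for it under the license-scan job; the workflow-level form is the better default because it also constrains any job added later, and contents: read is all actions/checkout needs here. Keep in mind that a job-level permissions: block overrides (does not extend) the workflow-level one, so any future job that needs extra scopes should declare its own block rather than widening this one.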
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 |
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/license-checker.yml
Repository: Mouette03/Filyo
🌐 Web query:
GitHub Actions pinning commit SHA vs version tags security best practices
💡 Result:
Security best practices for GitHub Actions recommend pinning actions to a full-length commit SHA rather than version tags for maximum security. This ensures immutability, preventing malicious updates to tags by repository owners or attackers, as a SHA points to an exact, unchangeable commit that requires a SHA-1 collision to compromise. Key points:
- SHA pinning is the only way to use an action as an immutable release, mitigating risks from third-party actions that could access secrets or GITHUB_TOKEN.
- Tags (e.g., v1) can be moved or deleted, even by trusted maintainers if compromised.
- For trusted creators (e.g., verified on GitHub Marketplace), tags may be acceptable for convenience, but SHA is preferred.
- Use full SHA (40 characters), verify from the official repo (not forks), and add comments like # v4.1.0 for readability and Dependabot updates.
- GitHub policies (repo/org level) can enforce SHA pinning and block risky actions.
- Avoid 'latest' or unpinned refs entirely.
- Periodically update pins for security patches, using tools like Dependabot (which supports SHA with comments).
Examples: uses: actions/checkout@692973e # v4.1.7
Pin GitHub Actions to immutable SHAs rather than version tags.
Version tags such as @v4 are mutable: they can be moved or deleted, even by trusted maintainers in case of compromise. To harden the CI/CD supply chain, replace them with full (40-character) SHAs, with a comment giving the version for readability and Dependabot updates.
Example: uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
This recommendation applies to lines 12, 15, 26 and 38.
| npm ci | ||
| npx license-checker --production --json > licenses-frontend-production.json |
Avoid running install scripts during the license scan.
npm ci runs preinstall/postinstall. That is not needed here to extract licenses, and it increases supply-chain risk. Use --ignore-scripts in both steps.
🛡️ Proposed fix
- name: Scan frontend
working-directory: frontend
run: |
- npm ci
+ npm ci --ignore-scripts
npx license-checker --production --json > licenses-frontend-production.json
@@
- name: Scan backend
working-directory: backend
run: |
- npm ci
+ npm ci --ignore-scripts
npx license-checker --production --json > licenses-backend-production.json
Also applies to: 34-35
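Review bot: the hunk only hardens the "npm ci" line; the "npx license-checker ..." line right after it is left unchanged, even though the summary for this finding also asks for NPM_CONFIG_IGNORE_SCRIPTS=1 around that call. Because npx may fetch and install the package itself, its lifecycle scripts would still run, so add an env block to both steps (for example env: NPM_CONFIG_IGNORE_SCRIPTS: "1") or prefix the npx command with it, so that both lines in each step are covered.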
| working-directory: frontend | ||
| run: | | ||
| npm ci | ||
| npx license-checker --production --json > licenses-frontend-production.json |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Vérification de la présence de license-checker dans les manifests:"
for f in frontend/package.json backend/package.json package.json; do
if [ -f "$f" ]; then
echo "== $f =="
rg -n '"license-checker"' "$f" || true
fi
done
echo
echo "Vérification dans les lockfiles:"
for f in frontend/package-lock.json backend/package-lock.json package-lock.json; do
if [ -f "$f" ]; then
echo "== $f =="
rg -n '"license-checker"' "$f" | head -n 5 || true
fi
done
Repository: Mouette03/Filyo
🏁 Script executed:
cat -n .github/workflows/license-checker.yml
Repository: Mouette03/Filyo
Add license-checker to devDependencies and use npm exec for reproducibility.
Using npx license-checker without a pinned version produces non-reproducible builds: npx may fetch a different version from the npm registry on each run.
Add license-checker to devDependencies (in frontend and backend), then replace npx license-checker with npm exec -- license-checker in the workflow.
Required workflow changes
- name: Scan frontend
working-directory: frontend
run: |
npm ci
- npx license-checker --production --json > licenses-frontend-production.json
+ npm exec -- license-checker --production --json > licenses-frontend-production.json
@@
- name: Scan backend
working-directory: backend
run: |
npm ci
- npx license-checker --production --json > licenses-backend-production.json
+ npm exec -- license-checker --production --json > licenses-backend-production.json
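Review bot: this hunk and the --ignore-scripts hunk above rewrite the same two "run:" lines in each step, so they have to be merged into one change: "npm ci --ignore-scripts" followed by "npm exec -- license-checker --production --json > ...". Note also that "npm exec -- license-checker" only resolves to the pinned copy when license-checker is listed in devDependencies and "npm ci" actually installs it; if the job is ever switched to "npm ci --omit=dev", npm exec resolves the package from the registry again, just as npx does, and the reproducibility problem returns.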
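The four hardening points raised across these review comments (a least-privilege permissions block, SHA-pinned uses: references, npm ci --ignore-scripts, and a pinned devDependency invoked through npm exec instead of npx) can be checked mechanically before a workflow is merged. The script below is an added example written for this page; it is not part of the Filyo project or of the review bot's output. It audits a workflow file with grep/sed heuristics (it does not parse YAML) and runs against two constructed sample workflows embedded inline: one shaped like the reviewed license-checker.yml and one hardened according to the proposed fixes. The 40-character SHA for actions/checkout is the one quoted in the review; the setup-node SHA in the hardened sample is an all-zero placeholder, not a real pin.

```shell
#!/bin/sh
# Added example for this page (not Filyo project code): a grep/sed audit of a
# GitHub Actions workflow for the four hardening points raised in review.
# Heuristic and line-based; it does not parse YAML.

# make_sample_workflow: writes a constructed workflow shaped like the reviewed
# license-checker.yml (not the real file) and prints its path.
make_sample_workflow() {
  f="$(mktemp)"
  cat > "$f" <<'EOF'
name: License scan
on:
  push:
  workflow_dispatch:
jobs:
  license-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node
        uses: actions/setup-node@v4
      - name: Scan frontend
        working-directory: frontend
        run: |
          npm ci
          npx license-checker --production --json > licenses-frontend-production.json
EOF
  echo "$f"
}

# make_hardened_workflow: constructed variant with the proposed fixes applied.
# The checkout SHA is the one quoted in the review; the setup-node SHA is an
# all-zero placeholder, not a real pin.
make_hardened_workflow() {
  f="$(mktemp)"
  cat > "$f" <<'EOF'
name: License scan
on:
  push:
  workflow_dispatch:
permissions:
  contents: read
jobs:
  license-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Setup Node
        uses: actions/setup-node@0000000000000000000000000000000000000000 # placeholder
      - name: Scan frontend
        working-directory: frontend
        env:
          NPM_CONFIG_IGNORE_SCRIPTS: "1"
        run: |
          npm ci --ignore-scripts
          npm exec -- license-checker --production --json > licenses-frontend-production.json
EOF
  echo "$f"
}

# audit_workflow FILE: prints one line per finding; always returns 0 so it is
# safe inside command substitution under `set -e`.
audit_workflow() {
  file="$1"

  # 1. Least privilege: without a permissions block the GITHUB_TOKEN keeps the
  #    repository's default scopes for every job.
  grep -Eq '^[[:space:]]*permissions:' "$file" ||
    echo "no permissions block (GITHUB_TOKEN inherits default scopes)"

  # 2. Supply chain: a tag such as @v4 can be moved; require a 40-hex commit SHA.
  grep -En '^[[:space:]]*-?[[:space:]]*uses:' "$file" |
    grep -Ev '@[0-9a-f]{40}([[:space:]]|$)' |
    sed 's/^\([0-9]*\):[[:space:]]*-*[[:space:]]*/line \1: mutable action ref: /'

  # 3. Install hooks: npm ci/install runs preinstall/postinstall unless told not to.
  grep -En '^[[:space:]]*npm (ci|install)([[:space:]]|$)' "$file" |
    grep -v -- '--ignore-scripts' |
    sed 's/^\([0-9]*\):[[:space:]]*/line \1: install scripts not disabled: /'

  # 4. Reproducibility: npx resolves the package from the registry at run time;
  #    a pinned devDependency run through `npm exec --` is deterministic.
  grep -En '^[[:space:]]*npx[[:space:]]' "$file" |
    sed 's/^\([0-9]*\):[[:space:]]*/line \1: unpinned npx invocation: /'

  return 0
}

# count_findings FILE: number of findings, usable as a CI gate.
count_findings() {
  audit_workflow "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report on both constructed samples.
for wf in "$(make_sample_workflow)" "$(make_hardened_workflow)"; do
  echo "== $(count_findings "$wf") finding(s) in $wf"
  audit_workflow "$wf"
  rm -f "$wf"
done
```

A CI gate is then `[ "$(count_findings .github/workflows/license-checker.yml)" -eq 0 ]`. The uses: check deliberately flags anything that is not a 40-hex SHA, so a local reusable action (`uses: ./path`) would need an allowlist, and the npm checks only see lines inside `run:` blocks as plain text, which is enough for the two-line steps in this workflow.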
Signed-off-by: Damien <[email protected]>
This pull request updates dependencies in the backend and improves Docker build caching in the GitHub Actions workflow. The main focus is on keeping backend packages up to date and optimizing Docker build performance for different database backends.
Dependency updates:
- @fastify packages (cors, jwt, multipart, static) to their latest major versions, as well as fastify itself to version 5.x, and nodemailer to version 7.x in backend/package.json.
CI/CD improvements:
- .github/workflows/docker.yml to use cache scopes specific to each workflow and database backend (sqlite and mariadb), improving Docker layer caching efficiency and reducing build times. [1] [2]